17 Steps to Secure Your Home Wi-Fi Network

Anup ThapaBy
secure wifi

Wi-Fi networks, by design, are prone to vulnerabilities due to the fact that the signal is broadcasted wirelessly. The transmitting devices are always communicating with foreign devices, receiving packets of data.

Someone with the right skillset could easily intercept these packets. Such data from Wi-Fi networks can be decrypted and used to snoop in on sensitive info or used to gain access to the network.

If you’re only trying to secure your home Wi-Fi from your neighbors, basic steps like using strong passwords and encryption will suffice. However, if you want to ensure your Wi-Fi is safe even against hackers, you’ll need to cover all bases.

How to Secure Home Wi-Fi Network

We recommend following the article’s outline, as the fixes have been organized in order of ease and importance. 

Step 1: Basic Security Steps

The first step is to follow fundamental practices like setting stronger passwords and using secure encryption.

Physically Secure Router

easily accessible router placement

We’ll begin with an extremely important security step. If your router is easily accessible, even people that you haven’t shared the password with could access the Wi-Fi.

For instance, they could use an Ethernet connection or features like WPS to connect to the Wi-Fi. Additionally, they could then use the login credentials from the router’s back panel to eventually decipher the Wi-Fi password. Or they could even reset the router and gain access that way.

People piggybacking on the Wi-Fi without the owner’s knowledge or consent is a common story, but it’s usually not a huge deal. However, if someone with malicious intent gains access to your network, they could model the router behavior to their benefit. This can range from simple piggybacking to serious threats like Man in the Middle (MiTM) attacks.

Change Router Password

A lot of users don’t bother changing the router’s login credentials as they think a strong Wi-Fi password is enough. But there’s no point to that if someone can simply use the router’s default credentials to log in and change the settings.

  1. Check the back of the router for the default access values (router IP and login creds).
    router login details back
  2. Launch any web browser and enter the router IP into the URL bar.
  3. Enter the login details to access the router dashboard.
  4. Go to the System, Advanced, Administration, or similar tab.
    change router password tplink
  5. Set a strong router password here and save the changes.

Some routers can be configured to only allow management console access from wired LAN connections. If your router supports a feature like this, enabling it could further minimize the chances of unauthorized wireless access.

Use Strong Wi-Fi Passphrase

It’s crucial to use a long and complex Wi-Fi passphrase with AES encryption. Basic passcodes like password, your router or Wi-Fi’s name, or your phone number can be easily guessed by most people. If a hacker is trying to gain access to your Wi-Fi, they could use penetration testing tools to test if common passwords or sequences of letters/number work. 

Your passphrase should contain multiple words with a mix of uppercase, lowercase, numbers, and symbols. A passphrase like #Ch@nged1nJ@nu@ry# is memorable and very hard to crack, whereas common passwords like qwerty or 0123456789 would be cracked in no time.

With all this in mind, here’s how you can change your Wi-Fi passphrase:

  1. Login to the router dashboard. In some cases, you may need to switch to Advanced mode.
  2. Go to the WLAN, Wireless Security, Wireless Settings, Wireless Advanced, or similar tab.
    change wifi password basic
  3. Set the passphrase here and save the changes. 
  4. Repeat the same for additional bands if you’re using a multi-band router.

Set Up Wi-Fi Encryption

A strong password is just one part of the puzzle; using a secure encryption standard is just as important. Older security and encryption protocols like WEP, WPA, or TKIP are easily exploitable using current technology and, thus, are no longer considered secure to use.

At the minimum, you should configure your router to use WPA2-PSK (personal) with AES encryption. Setting theoretical possibilities aside, this will make your home Wi-Fi practically uncrackable.

Of course, if your devices are compatible, or if you have the necessary skills and resources, security modes like WPA3 or WPA2-Enterprise are even more secure. But for most home networks, WPA2-PSK will be sufficient.

With that said, here’s how you can configure the security and encryption modes on your router:

  1. Access the router dashboard and enable Advanced mode.
  2. Switch to the WLAN, Wireless Security, or similar tab, as done earlier.
  3. Set the security mode to WPA2-PSK, WPA2-Enterprise, or WPA3, as appropriate. For WPA2-Enterprise, you’ll also need to enter the credentials of a RADIUS authentication server.
    wifi wpa2 psk aes
  4. Set the encryption mode to AES and save the changes.

Step 2: Disable Common Vulnerabilities

The previous section covered the most important dos for securing your Wi-Fi. This section will focus on what you shouldn’t do.

Update Firmware

Before proceeding further, we recommend checking if any firmware updates are available for your router. Most routers receive firmware updates once every 1-2 years. It’s important to install these updates as they generally contain patches for recently discovered vulnerabilities.

update-router-firmware-upgrade

As long as you’re using the latest firmware provided by the manufacturer, you’re good to go. But if you want to go the extra mile, you can flash custom firmware like DD-WRT, Tomato, OpenWRT, etc., which tend to be more secure than standard firmware. In addition to removing various vulnerabilities, they also give you much more control over your network.

Turn off WPS Pin

The Wi-Fi Protected Setup (WPS) feature allows you to connect devices to the Wi-Fi without entering a password. Instead, you can press the WPS button on the router and a similar physical or virtual button on your devices to connect them to the Wi-Fi.

The second method is to enter the 8-digit WPS Pin printed on the back of the router when trying to connect. In either case, if someone has physical access to the router, they could easily access the Wi-Fi even without the password.

Placing the router in a physically secure spot can help with this. But in most cases, it’s better to just disable WPS altogether.

  1. Login to the router dashboard and go to the Wi-Fi, WLAN, Wireless, or similar tab.
  2. Go to the WPS section and select Disable.
    turn-off-wps-router
  3. Save the changes when you’re done.

Disable UPnP

Universal Plug and Play (UPnP) is meant to ease device discovery and facilitate connectivity across a network. It essentially simplifies the initial configuration process so that you can connect a device to the network, and no additional steps are required. But this convenience comes at a cost.

As UPnP doesn’t implement any authentication by default, UPnP-enabled routers will open requested ports automatically. In a local network, this wouldn’t be a huge deal. But a flaw in UPnP IGD devices allows UPnP requests from the internet. Unauthorized users could gain access to such devices by exploiting this flaw.

In a home setting, users typically use UPnP to install devices like printers or for things like game consoles. Unless you absolutely need it, it’s best to keep this feature disabled.

  1. Access the router dashboard and switch to Advanced mode.
  2. Go to the NAT Forwarding or similar tab.
    disable-upnp-router
  3. In the UPnP section, disable UPnP and save the changes.

Disable Remote Management

Routers will often have Remote Management enabled by default so that ISPs and technicians can remotely access and service the router as required. This feature can be very useful, but leaving it permanently exposed to the internet is not the best idea. Instead, we recommend disabling it and only turning it on when required.

  1. Login to the router dashboard and switch to Advanced mode.
  2. Go to the System Tools, Administration, or similar tab.
    router-local-management-remote-management
  3. Toggle off the Remote Management option and save the changes.

SSID Broadcast

A very common piece of advice when it comes to securing the Wi-Fi is to disable the SSID broadcast. And it might even make sense to some; people can’t access what they can’t see, right? Don’t bother with this.

ssid broadcast router

Hiding the SSID is security by obscurity – it’s basically useless and only gives users a false sense of security. Anyone with basic knowledge of network detection tools can use said tools to find the SSID.

Even worse, client devices that have connected to this Wi-Fi before will constantly be broadcasting to check if the network is available. All this does is drain your device’s battery faster.

MAC Address Filtering

Another commonly suggested security measure is MAC Address Filtering. The Network Interface Controller (NIC), i.e., the network card on your devices, has a unique hardware address called MAC Address. 

The idea is to use this unique identifier to only allow select devices to access the network. Or to block certain devices from accessing the network.

mac filtering whitelist

If you want to use features like Access Control and Parental Controls, maybe set time limits on how long your kid’s device can connect to the Wi-Fi per day, this can be useful.

But when trying to secure your Wi-Fi against actual threats, this feature can be deceiving (in a bad way). Pen-testing tools like Kismet, Fluxion, Ethereal, etc., allow users to check which MAC Addresses have network access from outside the network. On most platforms, spoofing a device’s MAC Address to a valid one is very simple, which renders MAC Filtering pointless.

Step 3: Enable Security Mechanisms

This portion covers some optional but worthwhile practices you can follow to further strengthen your Wi-Fi.

Enable Firewall and DOS Protection

Some of your router’s built-in security mechanisms, like the firewall, will be active by default. Other ones, like DOS Protection, may need to be enabled manually. You should check and ensure all such security features are active with the following steps:

  1. Access the router dashboard and switch to Advanced mode.
  2. Go to the Security or similar tab. Ensure the security features like router firewall, DOS Protection, etc., are enabled here and save any changes made.
    spi-firewall-dos-protection
  3. Some routers may even allow setting different levels of firewall protection. The levels are defined differently according to the manufacturer, so you can press the Info/Help button and use the appropriate protection level for your specific case.

Set Up Guest Network

Most modern routers support the guest networking feature, which allows you to set up a separate network using the same router. Whenever you need to share the Wi-Fi with people outside of your family, you can give them access to this secondary network.

For starters, this means you won’t have to share the main Wi-Fi’s password. You can also control what level of access devices on that network have with features like AP Isolation. And when you don’t need the guest network, you can simply turn it off.

  1. To start, log in to the router dashboard and check the Wi-Fi, Wireless, Advanced, or similar tabs.
  2. Go to the Guest Network section and toggle it on.
    turn on guest networking
  3. Configure the guest network’s SSID and security options and save the changes.
    setup guest networking
  4. Fine-tuning the network access level and network discovery may or may not be doable, depending on the router. If you do configure these settings, don’t forget to save the changes afterward.

Monitor Network Traffic

Monitoring your network traffic is a good practice in general, but it can be especially useful if you suspect any unauthorized users are piggybacking on your Wi-Fi. It may also be required for some of the security mechanisms covered earlier, like DOS Protection. In any case, here’s what we recommend:

  1. Generally, you’ll land at the Home, Status, Network Map, or similar tab after logging into the router dashboard. Check the list of connected devices here. You may also need to check the DHCP Clients list for this.
    router-wired-wireless-clients
  2. Note the Client Name, MAC Address, and Assigned IP. If you find any suspicious clients listed here, go to your device’s Wi-Fi settings and compare the noted values.
  3. After checking all of your devices, if you find any unauthorized devices, you can remove them from the Wi-Fi.

These basic steps to check for unauthorized users will be enough in most cases. But if you also want to monitor the network traffic and perhaps set volume limits, here’s what you should do:

  1. Switch to Advanced mode and go to the Administration, Advanced Setup, or similar tabs.
  2. Go to the Traffic Meter or similar section and toggle on the Monitoring feature.
    router-traffic-statistics
  3. The configuration options for this traffic meter vary according to the router. So, press the Info button at the bottom or side of the page to get a detailed explanation of each option. Then, simply monitor the traffic or set volume/time limits according to your preference.

Now, traffic monitoring may or may not be supported depending on the router. As an alternative, you can also use programs like Wireshark or Windows’ Resource Monitor to monitor your network. 

AP Isolation

enable ap isolation router settings

AP Isolation basically sets up a filter that allows wireless devices to only communicate with the router. This isolates the devices and prevents client-to-client communication, adding an extra layer of security.

It’s mainly used in public Wi-Fi hotspots, where a large number of users are connected, and some may have malicious intentions. Setting up a guest Wi-Fi network is generally a better alternative for home use. 

This restricts any unwanted devices to the secondary network, and you’ll still be able to access necessary clients (e.g., NAS). However, if your router doesn’t natively support guest networking, or you simply prefer AP Isolation, it’s certainly a viable option.

Step 4: Advanced Security Principles

At this point, your home Wi-Fi is more than secure. But there are some advanced practices you can look into to improve your Wi-Fi security a step further. Do note that some of these methods are overkill for the average home Wi-Fi and not worth the hassle.

Disconnect Router When Not in Use

disconnect router when not in use

Turning off the router when you don’t need it has various pros and cons. The main advantage is obviously improved security. If your router isn’t broadcasting the Wi-Fi, hackers won’t have any packets to try offline brute-force or similar attacks to start with.

The problem with this is that IoT devices are very popular these days. You might have things like security cameras or garage doors connected to the Wi-Fi. Disabling the Wi-Fi would prevent you from remotely managing such devices.

Ultimately, you’ll need to weigh the convenience and security benefits to decide if this method is worth it for you.

Adjust Signal Range

Like the previous point, adjusting your Wi-Fi signal range also has various pros and cons. The idea is that by limiting the broadcast range to only within your house or compound, anyone outside the range won’t see the Wi-Fi. And this is partly true.

5 GHz Wi-Fi has lower penetration power and thus a lower range compared to 2.4 GHz. Using only 5 GHz Wi-Fi, adjusting the router’s TX Rate, or removing detachable antennas can all be easy ways to reduce the Wi-Fi’s range. 

We’ve seen cases where people gave Wi-Fi access to neighbors but didn’t want them to be on the Wi-Fi all the time. Sure it’s very specific, but this can help in such cases. Ultimately, it’s not very practical or effective in terms of security though.

Fine-tuning the exact Wi-Fi range is a fairly difficult process. You might decrease the router’s transmission strength to only inside your home, and then you realize the signal doesn’t reach your bedroom now because there are too many obstructions in the signal path.

wifi signal vs walls

Even if you fine-tune the range perfectly, it’s still useless against dedicated hackers. For instance, wardrivers typically use high-gain antennas, which allow them to hear wireless signals from far away. To effectively control the signal range, you’d need a shielded home.

Generally speaking, this will worsen the usability of your network without providing many security benefits. In fact, it might even leave you vulnerable to an Evil Twin attack through tools like Karma. But it does still have some niche use cases.

Keep Network Updated

A common mistake when securing home Wi-Fi networks is only patching vulnerabilities on the router’s end. Your client devices must also be secured properly, as you don’t want that to be the weak link after all this work.

This means it’s important to use reliable antivirus and firewall tools as appropriate for the device’s platform. Keeping the system and firmware updated is also important, particularly in the case of IoT devices which tend to be vulnerable compared to PCs and smartphones.

Separate IoT Devices

Tying into the previous point, IoT devices tend to be configured with little to no security or authentication mechanism. In fact, they’re typically set up with weak credentials (e.g., admin-admin, admin-password) and support insecure and outdated protocols like HTTP.

As such, your IoT devices should ideally be kept away from your main Wi-Fi. Instead, you can set up a separate wired network with a secondary router or create a separate VLAN and use it exclusively for IoT devices.

Additionally, you should take further steps like setting up two-factor authentication (2FA) and preferring wired connections rather than wireless for such devices.

Other Security Methods

Ok, we’re heading into paranoid territory now. For most home users, these are overkill and not worth the time or effort. But if you want to max out your Wi-Fi’s security anyway, here are some additional things worth looking into:

  • We’ll start with a fairly tame solution. Stick to trusted and time-tested brands and devices when it comes to networking hardware.
  • Use firewall operating systems like PFsense or SophosXG. You can install these on a physical machine or a VM as you prefer.
  • If your router allows you to reset the firewall, you can configure the firewall rules from scratch. It’ll be a hassle to open ports manually at first, but ultimately, this will allow for the highest level of control.
  • You can set up authentication servers like RADIUS and Kerberos to ensure that only authorized users can access the network and its resources.
  • We’ve also seen some cases where users were concerned that the admin (family or landlord) was snooping in on their internet history. If you’re similarly concerned about your privacy, you can use a VPN, TOR Browser, or maybe even set up a TOR access point. VPNs and TOR should also be used whenever you connect to public Wi-Fi.
  • We’ll conclude with a simple but important practice. Always use HTTPS. By encrypting and verifying all HTTP requests and responses, it protects against MiTM attacks. This is extremely important on public Wi-Fis, but it’s a practice that should be followed on home Wi-Fis as well.

Anup Thapa primarily covers Windows systems, networking, and computer hardware at TechNewsToday. Anup has been writing professionally for almost 5 years, and tinkering with PCs for much longer. His love for all things tech started when he got his first PC over 15 years ago. It was a Pentium IV system running Windows XP on a single 256 MB stick. He spent his formative years glued to this PC, troubleshooting any hardware or software problems he encountered by himself. Professionally, Anup has had brief forays into a variety of fields from coding and hardware installation to writing. In doing so, he's worked with people of different backgrounds and skill levels, from average joes to industry leaders and experts. This has given him not just a versatile skill set, but also a unique perspective for writing that enables him to concisely communicate complex information and solve his reader's problems efficiently. You can reach out to him at anup@technewstoday.com.

Related Posts

Add A Comment

Leave A Reply